From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: mark(at)mark(dot)mielke(dot)cc
Cc: Andrew Dunstan <andrew(at)dunslane(dot)net>, Euler Taveira de Oliveira <eulerto(at)yahoo(dot)com(dot)br>, "Jim C(dot) Nasby" <jnasby(at)pervasive(dot)com>, Andreas Pflug <pgadmin(at)pse-consulting(dot)de>, "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Why don't we allow DNS names in pg_hba.conf?
Date: 2006-01-03 18:21:52
Message-ID: 18463.1136312512@sss.pgh.pa.us
Lists: pgsql-hackers
mark(at)mark(dot)mielke(dot)cc writes:
> On Tue, Jan 03, 2006 at 12:43:03PM -0500, Tom Lane wrote:
>> I'm not sure about the relative usefulness of this compared to the
>> forward-lookup case, nor whether it's riskier or less risky from a
>> spoofing point of view. But something to consider.
> I think it's riskier. I have my own PTR records, that I can make be
> whatever I wish without any authority verifying that my actions are
> proper.
Yeah, that occurred to me after a few moments' thought. We could do one
extra forward lookup to confirm that the reverse-lookup name maps back
to the IP address.
> It's not a big deal.
Depends on how many names you want to put into pg_hba.conf. I don't
offhand see a use-case for very many, but maybe there is one. Even
if there are a lot, they'd not be expensive to look up if there is
a local nameserver that is authoritative for those names ... which
I'd think would be the normal case. The more "outside" names you've
got in pg_hba.conf, the more open you are to spoofing.
regards, tom lane
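An added example, not PostgreSQL code, of the forward-confirmed reverse lookup Tom describes: take the PTR name for the client address, then forward-resolve that name and require the client address to appear in the answer. The resolver functions are injected so the demo runs offline against constructed records; the host names and addresses below are made up.

```python
# Forward-confirmed reverse DNS check for a pg_hba.conf-style host name entry.
# Added example (not PostgreSQL's implementation); resolvers are injected so
# the demo runs offline against a constructed DNS table.
import socket
from typing import Callable, Iterable, Optional

ReverseFn = Callable[[str], Optional[str]]   # ip -> PTR name (or None)
ForwardFn = Callable[[str], Iterable[str]]   # name -> A/AAAA addresses

def _system_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None

def _system_forward(name: str) -> Iterable[str]:
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def client_matches_hba_name(client_ip: str, hba_name: str,
                            reverse: ReverseFn = _system_reverse,
                            forward: ForwardFn = _system_forward) -> bool:
    """True only if the PTR for client_ip equals hba_name AND a forward lookup
    of that name yields client_ip. The forward step is what defeats a client
    that controls the PTR record for its own address."""
    ptr = reverse(client_ip)
    if ptr is None or ptr.rstrip(".").lower() != hba_name.rstrip(".").lower():
        return False
    return client_ip in set(forward(ptr))

# Constructed DNS data: a legitimate host, plus a second address whose owner
# has pointed their own PTR at the trusted name (the spoofing case above).
_PTR = {"192.0.2.10": "app1.example.internal",
        "203.0.113.7": "app1.example.internal"}   # self-asserted PTR
_A = {"app1.example.internal": ["192.0.2.10"]}   # authoritative forward data

def demo_reverse(ip): return _PTR.get(ip)
def demo_forward(name): return _A.get(name, [])

def run_demo():
    return {ip: client_matches_hba_name(ip, "app1.example.internal",
                                        demo_reverse, demo_forward)
            for ip in _PTR}

if __name__ == "__main__":
    print(run_demo())  # {'192.0.2.10': True, '203.0.113.7': False}
```

With the system resolvers left as defaults, the same function performs real lookups; the cost Tom mentions is two queries per connection attempt, both cheap against a local authoritative nameserver.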